Thanks to everybody for their support. With trace8 loglevel I saw the problem was with the Active directory group membership. I reverted to what I was using in apache 2.2 for that part: Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es Also, I removed AuthBasicAuthoritative off because it caused non-existent users to produce a 500 error instead of a 401. Again, thank you very much for the help! Eduardo Mayoral Jimeno (emayoral@xxxxxxxx) Administrador de sistemas. Departamento de Plataformas. Arsys internet. +34 941 620 145 ext. 5153 On 13/10/17 18:10, Eric Covener wrote: > Can you crank up the loglevel to trace8? I believe there are some > spurious error messages when authz modules are reporting their > individual results vs. getting rolled up to RequireAny. > > On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <emayoral@xxxxxxxx> wrote: >> Hi, Eric, >> >> Thanks for your fast answer. The reason for the provider aliases is >> that once I get this config working I would like to re-use it for about >> 6 different directories. >> >> However, I have tried to flatten the configuration according to your >> suggestion. I repeated the tests, exact same result. Flattened config >> follows: >> >> AuthType Basic >> AuthName "Xymon user" >> >> AuthBasicProvider file ldap >> AuthBasicAuthoritative off >> >> AuthLDAPURL "ldap://REDACTED:3268 >> REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE >> AuthLDAPBindDN "REDACTED@xxxxxxxxxxx" >> AuthLDAPBindPassword "REDACTED" >> AuthLDAPGroupAttributeIsDN on >> AuthLDAPGroupAttribute member >> AuthLDAPMaxSubGroupDepth 3 >> >> AuthUserFile /etc/xymon/xymonusers.htpasswd >> AuthGroupFile /etc/xymon/xymongroups.htpasswd >> >> >> <RequireAny> >> Require group XymonUsers >> Require ldap-group >> cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es >> </RequireAny> >> >> >> Eduardo Mayoral Jimeno (emayoral@xxxxxxxx) >> Administrador de sistemas. Departamento de Plataformas. Arsys internet. >> +34 941 620 145 ext. 5153 >> >> On 13/10/17 16:47, Eric Covener wrote: >>> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <emayoral@xxxxxxxx> wrote: >>>> Hi, >>>> >>>> I am trying to move a web application from httpd 2.2 to httpd 2.4 , >>> I don't think all of those provider-aliases are necessary. Did you a >>> try a more simpler/direct port of the config? >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx >>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx >> > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|